Keeping SingPass accounts safe

As government services become more digitised and cyber threats increase, there is a need to better protect users' SingPass accounts, especially when they involve highly confidential information, such as personal financial and health records ("Simplify steps needed for stepped-up SingPass security"; Oct 28).

In line with best practices around the world, SingPass introduced a two-step verification (2FA) process.

The first step requires the SingPass username and password (to access general e-services), and the second step requires a one-time password (OTP) sent via SMS or generated through a OneKey token (to access e-services displaying sensitive data).

We are mindful that these layers of verification may inconvenience users, but they are necessary to protect users' accounts against cyber threats.

The Government's journey to implementing 2FA started a few years ago, with the introduction of the National Authentication Framework (NAF) in 2011.

A 2FA tender was called in 2012 but not awarded, as not all requirements were met.

In the Oct 28 commentary, tech editor Irene Tham suggested "(doing) away with a static password, which people often forget".

Her suggestion is inconsistent with good security practice worldwide.

This password needs to be in place as the first layer of security - removing it and reverting to a single factor (that is, using only token or SMS OTP) is regressive.

Ms Tham's suggestion to allow existing OneKey token users to choose between SMS and token for their SingPass 2FA is already in place.

She also advocated that the 2FA set-up process be further streamlined.

As we announced on Sept 30, users will not need to manually register and link their mobile number or token with their SingPass accounts from the end of next month - thus simplifying the three-step process to just one.

Given today's rapidly evolving cyber landscape, we will continue to improve SingPass to better meet the needs of our users, without compromising security.

Users, too, should protect their personal information by adopting good cyber-security practices.

Lim Keng Soon
Deputy Director
Government and Policy Communications
Infocomm Development Authority of Singapore

A version of this article appeared in the print edition of The Straits Times on November 05, 2015, with the headline 'Keeping SingPass accounts safe'.